SCOM 2012: Authoring UNIX/Linux Log File Monitoring Rules
Log File Monitoring Scenarios
These examples assume the use of the UNIX/Linux Authoring Library example MP. For more information on creating and building the MP authoring project, see Getting Started.
Alerting on Log File Events for a Role
This example demonstrates log file monitoring. The specified log file (/var/myapp/mylog.log) is scanned for new lines that match the defined Regular Expression. If a match is found, an alert is generated. The IndividualAlerts parameter defines whether or not each matched line should be treated as an individual DataItem. The SuppressionValue element of the Alert properties defines the suppression behavior for new alerts when an existing alert is open.
Note: contents located between pairs of ## characters should be customized for your environment. This includes ID and property values. Be sure to remove the ## characters before building the MP.
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Monitoring>
<Rules>
<Rule ID="##MyMP.MyLogFile.Rule##" Target="##MyMP.MyCustomRole##" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Alert</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.VarPriv.DataSource">
<Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
<LogFile>##/var/myapp/mylog.log##</LogFile>
<UserName>##$RunAs[Name="Unix!Microsoft.Unix.ActionAccount"]/UserName$##</UserName>
<Password>##$RunAs[Name="Unix!Microsoft.Unix.ActionAccount"]/Password$##</Password>
<RegExpFilter>##^Error##</RegExpFilter>
<IndividualAlerts>##false##</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="##MyMP.MyRole.MylogFile.Rule.AlertMessage##"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>##$Data/EventDescription$##</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue />
</Suppression>
</WriteAction>
</WriteActions>
</Rule>
</Rules>
</Monitoring>
<Presentation>
<StringResources>
<StringResource ID="##MyMP.MyRole.MylogFile.Rule.AlertMessage##" />
</StringResources>
</Presentation>
<LanguagePacks>
<LanguagePack ID="ENU" IsDefault="true">
<DisplayStrings>
<DisplayString ElementID="##MyMP.MyLogFile.Rule##">
<Name>##My Custom Log File Rule##</Name>
<Description>##Alerts when new matched Error lines are found in mylog.log##</Description>
</DisplayString>
<DisplayString ElementID="##MyMP.MyRole.MylogFile.Rule.AlertMessage##">
<Name>##Error event found in mylog.log##</Name>
<Description>##{0}##</Description>
</DisplayString>
</DisplayStrings>
</LanguagePack>
</LanguagePacks>
</ManagementPackFragment>
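The following is an added illustration, not code from the page or from the SCOM MP: a small Python model of what the rule above does at each scan. It assumes the data source evaluates only lines appended since the previous scan, and that IndividualAlerts=false bundles all matches of one scan into a single DataItem (both are modelling assumptions; the sample log content is constructed).

```python
import re

# Constructed sample content of /var/myapp/mylog.log as seen by two successive
# scans; the second scan sees only the lines appended after the first one.
LOG_AFTER_FIRST_SCAN = (
    "Info: service started\n"
    "Error: connection refused\n"
)
LOG_AFTER_SECOND_SCAN = LOG_AFTER_FIRST_SCAN + (
    "Error: disk quota exceeded\n"
    "Warning: retrying\n"
    "Error: disk quota exceeded\n"
)

REGEXP_FILTER = re.compile(r"^Error")  # the <RegExpFilter> value from the rule


def scan_new_lines(log_text, offset, pattern):
    """Model of the log file data source: evaluate only the text appended since
    the previous scan (tracked by a character offset) and return
    (matching_lines, new_offset)."""
    new_text = log_text[offset:]
    matches = [ln for ln in new_text.splitlines() if pattern.search(ln)]
    return matches, offset + len(new_text)


def to_data_items(matches, individual_alerts):
    """Model of <IndividualAlerts>: True yields one DataItem (hence one alert)
    per matched line; False bundles all matches of one scan into a single
    DataItem whose EventDescription is the matched lines joined together."""
    if not matches:
        return []
    if individual_alerts:
        return [{"EventDescription": m} for m in matches]
    return [{"EventDescription": "\n".join(matches)}]


def run_two_scans(individual_alerts):
    """Return the DataItems produced across both scans of the sample log."""
    items = []
    offset = 0
    for snapshot in (LOG_AFTER_FIRST_SCAN, LOG_AFTER_SECOND_SCAN):
        matches, offset = scan_new_lines(snapshot, offset, REGEXP_FILTER)
        items.extend(to_data_items(matches, individual_alerts))
    return items
```

With IndividualAlerts=true the two scans yield three DataItems (one per Error line); with false they yield two, the second of which carries both new Error lines in one EventDescription.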
Alerting on Correlated Log File Events (Multi-Line)
This example demonstrates multi-line/correlated log file monitoring. If both the FirstLogExpression and SecondLogExpression Regular Expressions are matched in the log file within the CorrelationInterval (seconds), an alert will be generated.
For additional information about the Data Source used in this example, review the documentation of the following Data Source in the Unix.Authoring.Library Module Reference:
- UNIX/Linux Timed Shell Command Property Bag Data Source
Note: contents located between pairs of ## characters should be customized for your environment. This includes ID and property values. Be sure to remove the ## characters before building the MP.
<ManagementPackFragment SchemaVersion="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Monitoring>
<Rules>
<Rule ID="##MyMP.CorrelatedLog.Rule##" Target="##Unix!Microsoft.Unix.Computer##" Enabled="true" Remotable="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="UnixAuth!Unix.Authoring.CorrelatedLogFile.DataSource">
<TargetSystem>$Target/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</TargetSystem>
<UserName>##$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/UserName$##</UserName>
<Password>##$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/Password$##</Password>
<LogFile>##/var/myapp/myapp.log##</LogFile>
<FirstLogExpression>##firststring##</FirstLogExpression>
<SecondLogExpression>##secondstring##</SecondLogExpression>
<CorrelationInterval>##1800##</CorrelationInterval>
<IndividualAlerts>##true##</IndividualAlerts>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>##1##</Priority>
<Severity>##1##</Severity>
<AlertMessageId>$MPElement[Name="##MyMP.CorrelatedLog.Rule.AlertMessage##"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>##$Data///EventDescription$##</AlertParameter1>
</AlertParameters>
<Suppression>
##<SuppressionValue />##
</Suppression>
</WriteAction>
</WriteActions>
</Rule>
</Rules>
</Monitoring>
<Presentation>
<StringResources>
<StringResource ID="##MyMP.CorrelatedLog.Rule.AlertMessage##" />
</StringResources>
</Presentation>
<LanguagePacks>
<LanguagePack ID="ENU" IsDefault="true">
<DisplayStrings>
<DisplayString ElementID="##MyMP.CorrelatedLog.Rule##">
<Name>##My Correlated Log File Rule##</Name>
<Description>##Alerts when multiple expressions are matched within an interval in my log file##</Description>
</DisplayString>
<DisplayString ElementID="##MyMP.CorrelatedLog.Rule.AlertMessage##">
<Name>##Both firststring and secondstring were matched in mylog.log within the defined interval##</Name>
<Description>{0}</Description>
</DisplayString>
</DisplayStrings>
</LanguagePack>
</LanguagePacks>
</ManagementPackFragment>
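An added illustration of the correlation semantics described above, not code from the page or from the Unix.Authoring.Library data source: a Python model in which a FirstLogExpression match opens a window of CorrelationInterval seconds and a SecondLogExpression match inside that window produces one event. The timestamp format and the sample log lines are constructed, and the requirement that the first expression precede the second is an assumption of this model.

```python
import re
from datetime import datetime

# Constructed sample lines for /var/myapp/myapp.log, "YYYY-MM-DD HH:MM:SS msg".
SAMPLE_LOG = """\
2024-01-15 10:00:00 firststring: backup job started
2024-01-15 10:20:00 secondstring: backup job failed
2024-01-15 12:00:00 firststring: backup job started
2024-01-15 13:30:00 secondstring: backup job failed
"""

FIRST_RE = re.compile("firststring")    # <FirstLogExpression>
SECOND_RE = re.compile("secondstring")  # <SecondLogExpression>
CORRELATION_INTERVAL = 1800             # <CorrelationInterval>, in seconds

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def parse_line(line):
    """Split a log line into (timestamp, message); None if it has no timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def correlate(log_text, first_re, second_re, interval):
    """Model of the correlated data source: the latest first-expression match
    opens a window of `interval` seconds; a second-expression match inside that
    window yields one event whose EventDescription holds both matched lines.
    Assumption: the first expression must appear before the second."""
    events = []
    pending = None  # (timestamp, raw line) of the latest first-expression match
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if first_re.search(msg):
            pending = (ts, raw)
        elif second_re.search(msg) and pending is not None:
            if (ts - pending[0]).total_seconds() <= interval:
                events.append({"EventDescription": pending[1] + "\n" + raw})
            pending = None  # a second match closes the window either way
    return events
```

On the sample log only the first pair (20 minutes apart) falls inside the 1800-second interval; the second pair is 90 minutes apart and produces no event.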